
Cyber Criminals Don't 'Brake' for Pandemics

April 20, 2020 | BY Stephen Murphy, DC3 Public Affairs

The ongoing COVID-19 pandemic has resulted in disruptions to everyday life for many, with shelter-in-place and other social distancing requirements implemented throughout the United States and around the world.

Even though many supplies, services and leisure activities have slowed down or come to a screeching halt, the one thing that has remained the same -- or even gained momentum -- is cyberespionage.

From average citizens who encounter ransomware and malware delivered through fraudulent stimulus-check scams, to Defense Department-level organizations facing attempted intrusions and compromises by advanced persistent threat, or APT, groups, cyber criminals and APT groups alike are actively working to exploit the COVID-19 pandemic.

Photo: The online world can be unfriendly to computers, phones and other connected devices. Learn how to protect your data from hackers who can steal information right out of your wallet. (Photo by Keith Hayes, Marine Corps)

The DoD Cyber Crime Center, located in Linthicum Heights, Maryland, serves as the operational focal point for the Defense Industrial Base Cybersecurity program. DC3 is keeping ahead of APT groups that exploit the COVID-19 pandemic in an attempt to infiltrate and exploit DIB and DOD networks. The center’s DOD-DIB Collaborative Information Sharing Environment, or DCISE, maintains close situational awareness regarding the use of COVID-19-themed social engineering and email phishing scams by cyber actors -- from criminal actors employing ransomware to more sophisticated nation-state operators conducting cyberespionage. 

As the operational arm of the DIB Cybersecurity program, DCISE shares relevant information with more than 700 security-cleared defense contractors who participate in the program. It also fosters a cyber-threat information-sharing partnership with DIB participants by performing cyber analysis, offering mitigation and remediation strategies, providing best practices, conducting analyst-to-analyst exchanges and holding cyber threat-sharing meetings and technical exchanges with DIB participants.

"The public-private partnership that exists between the DIB partner companies and the DOD is built upon a foundation of trust, which is vital to critical cyberthreat information sharing," said DCISE Director Krystal Covey. "This crowd-sourced threat-sharing allows for near real-time collaboration, enabling members of the partnership and U.S. government agencies to potentially detect, deter and remediate before an incident occurs or escalates."

Graphic: Ransomware attacks affect computers by encrypting all of the information on the devices, and the hackers demand a ransom, usually paid in bitcoin, in return for the decryption key. Generally, if a payment isn't made, the hackers leave the files permanently encrypted with no way to pay the ransom to unlock them. (U.S. Air Force graphic by Adam Butterick)

DCISE has processed multiple DIB reports specific to COVID-19-themed schemes during the past month. Domain masquerading is heavily used in these schemes. One partner company reported receiving an email purporting to come from the Centers for Disease Control and Prevention, with a link to a credential-harvesting site.

A voluntary partner in the DIB cybersecurity program notified DCISE in late March that a web service on a U.S. government Central Authentication Service login service was being used as an open redirect (proxy) to carry out COVID-19 phishing.
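The open redirect described above is a weakness defenders can close by validating the post-login return URL. The following is an added example, not DC3 or DCISE code, and it assumes a CAS-style login service that takes the return target in a `service` query parameter and an operator-maintained allowlist of hostnames (the hostnames and landing page below are constructed):

```python
"""Defender-side example (added here; not DC3/DCISE code): validating the
post-login redirect target of a CAS-style single sign-on service so it
cannot be abused as an open redirect for phishing.

Assumptions (not from the article): the login service accepts a ``service``
query parameter naming the URL to return to, and the operator maintains an
allowlist of hostnames permitted to receive users after authentication.
"""
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist and landing page; a real deployment loads these
# from configuration.
ALLOWED_SERVICE_HOSTS = {"portal.example.mil", "apps.example.mil"}
DEFAULT_LANDING = "https://portal.example.mil/"


def weak_redirect_target(login_url: str) -> str:
    """The open-redirect pattern: trust whatever ``service`` says."""
    qs = parse_qs(urlsplit(login_url).query)
    return qs.get("service", [DEFAULT_LANDING])[0]


def is_allowed_service(url: str, allowed_hosts=ALLOWED_SERVICE_HOSTS) -> bool:
    """Accept only absolute https URLs whose host is on the allowlist.

    Relative and protocol-relative URLs, non-https schemes, embedded
    credentials (``user@host``) and backslashes are rejected outright,
    because browsers and URL parsers disagree on how to resolve them.
    """
    if "\\" in url or "@" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    # Exact host match or a subdomain of an allowed host; a lookalike such as
    # apps.example.mil.evil.example fails both checks.
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def safe_redirect_target(login_url: str) -> str:
    """Hardened version: fall back to a fixed landing page on any mismatch."""
    candidate = weak_redirect_target(login_url)
    return candidate if is_allowed_service(candidate) else DEFAULT_LANDING
```

Run with a crafted login link such as `https://sso.example.mil/login?service=https://evil.example/cdc-update`: the weak version hands the victim to the attacker's page, the hardened one returns the default landing page.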

Photo: Airman 1st Class Belinda Mykham, 744th Communications Squadron visual imagery intrusion detection systems maintenance technician, demonstrates what a restricted site link looks like on a government computer at Joint Base Andrews, Md., May 18, 2018. The 744th Communications Squadron says every Airman is responsible for safeguarding the protection of information and security of JBA in the work center. (This image was blurred to protect sensitive information.) (U.S. Air Force photo by Airman Michael S. Murphy)

The DIB partner requested DCISE alert the government for remediation. DCISE informed government points of contact the same day. The government entity advised March 26 that the asset in question was taken offline and an investigation was underway. The same entity also requested DIB cybersecurity program partner point-of-contact information to engage and ensure they had all relevant technical details.

"This scenario highlights that the DIB cybersecurity voluntary program provides critical communication and benefits beyond its immediate scope and mission, such as identifying issues with government information technology assets and ensuring notification to the correct government contact, even during an unprecedented pandemic," Covey said.

DCISE monitors evolving cyber activities that exploit the pandemic and will ensure the DIB partnership and the U.S. government are fully informed so they can better protect their respective network environments. DCISE will continue processing all submissions from its partners and encouraging maximum cyber threat collaboration during this challenging time. This type of public-private communication demonstrates the role of DCISE and the DIB cybersecurity program in protecting critical DOD assets.